Two zero days are Targeting DrayTek Broadband CPE Devices

Background

From December 4, 2019, the 360Netlab Threat Detection System has observed two different attack groups using two 0-day vulnerabilities in DrayTek[1] Vigor enterprise routers and switches to conduct a series of attacks, including eavesdropping on the devices' network traffic, running SSH services on high ports, creating system backdoor accounts, and even creating a specific malicious Web Session backdoor.

On December 25, 2019, because of the highly malicious nature of the attack, we disclosed the ongoing 0-day attack IoC on Twitter[2][3] without naming the vendor or the product lines. We also provided more details to some national CERTs.

On February 10, 2020, the manufacturer DrayTek issued a security bulletin[4] that fixed the vulnerability and released the latest firmware, version 1.5.1. (Here we actually have an easter egg we might talk about later.)

Vulnerability analysis

With the help of the 360 Firmware Total system[5], we were able to perform the vulnerability research. The two 0-day command injection points are the keyPath and rtick parameters, located in /www/cgi-bin/mainfunction.cgi; the corresponding web server program is /usr/sbin/lighttpd.

The script /etc/mailsend.sh is used to eavesdrop on all network interfaces of the DrayTek Vigor device, listening on ports 21, 25, 143, and 110 (FTP, SMTP, IMAP and POP3, whose logins typically travel in cleartext). The tcpdump command /usr/sbin/tcpdump -i any -n -nn port 21 or port 25 or port 143 or port 110 -s 65535 -w /data/firewall.pcap & runs in the background, and a crontab entry uploads the captured packets to https://103.82.143.51:58443/uploLSkciajUS.php every Monday, Wednesday, and Friday at 0:00.

Attack group B

Attacker B uses the rtick command injection vulnerability to create two sets of Web Session backdoors that never expire in the file /var/session.json.

Web Session backdoor

While studying the 0-day PoC, we noticed that when the session parameter updatetime is set to 0, the DrayTek Vigor device never logs the session out unless the device is rebooted (the equivalent of Auto-Logout: Disable).

Timeline

2019/12/04 We discovered ongoing attacks using the DrayTek Vigor 0-day keyPath vulnerability
2019/12/08 We reached out to a channel to report the vulnerability (but only later on found it did not work out)
2019/12/25 We disclosed the IoC on Twitter and provided more details to some national CERTs.
2020/01/28 We discovered ongoing attacks using the DrayTek Vigor 0-day rtick vulnerability
2020/02/01 MITRE published the CVE-2020-8515
2020/02/10 DrayTek released a security bulletin and the latest firmware fix.

Suggestions

We recommend that DrayTek Vigor users check and update their firmware in a timely manner, and check whether there is a tcpdump process, an SSH backdoor account, a Web Session backdoor, etc. on their systems.
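To make two of these checks concrete, here is an added example (not from the original post and not DrayTek's code) that flags never-expiring Web Sessions in /var/session.json, i.e. entries whose updatetime is 0 as described in the Web Session backdoor section, and a running tcpdump that writes to a capture file. It assumes each session is a JSON object carrying an updatetime field (the real file layout is not documented here), and both sample inputs are constructed.

```python
import json
import re

# Constructed sample of /var/session.json. Its real layout is not documented
# in the post; the walker below only assumes that each session is a JSON
# object with an "updatetime" field, which is what the post describes.
SAMPLE_SESSION_JSON = """
[
  {"user": "admin", "ip": "192.0.2.10", "updatetime": 1578000000},
  {"user": "admin", "ip": "198.51.100.7", "updatetime": 0},
  {"user": "guest", "ip": "203.0.113.9", "updatetime": "0"}
]
"""

# Constructed `ps` output; the second line is the capture command the post
# attributes to the first attack group.
SAMPLE_PS_LINES = [
    "  412 root   /usr/sbin/lighttpd -f /etc/lighttpd.conf",
    " 1337 root   /usr/sbin/tcpdump -i any -n -nn port 21 or port 25 "
    "or port 143 or port 110 -s 65535 -w /data/firewall.pcap",
    " 1402 root   /bin/sh /etc/mailsend.sh",
]


def _walk(node):
    """Yield every JSON object found anywhere in the parsed document."""
    if isinstance(node, dict):
        yield node
        for value in node.values():
            yield from _walk(value)
    elif isinstance(node, list):
        for value in node:
            yield from _walk(value)


def find_persistent_sessions(session_json_text):
    """Return session objects whose updatetime is 0 (Auto-Logout disabled)."""
    doc = json.loads(session_json_text)
    return [obj for obj in _walk(doc)
            if str(obj.get("updatetime", "")).strip() == "0"]


# tcpdump invoked with -w: packets are being written to a file on the device.
CAPTURE_RE = re.compile(r"tcpdump\b.*\s-w\s+\S+")


def find_capture_processes(ps_lines):
    """Return ps lines showing tcpdump writing a capture file."""
    return [line for line in ps_lines if CAPTURE_RE.search(line)]


if __name__ == "__main__":
    for session in find_persistent_sessions(SAMPLE_SESSION_JSON):
        print("never-expiring session:", session)
    for proc in find_capture_processes(SAMPLE_PS_LINES):
        print("packet capture running:", proc.strip())
```

On a real device the same functions can be fed the contents of /var/session.json and the output of ps; a hit on either is worth treating as a sign of compromise rather than a misconfiguration.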

We recommend that the following IoCs be monitored and blocked on networks where applicable.

Contact us

Readers are always welcome to reach us on Twitter, or by email to netlab at 360 dot cn.